Last week I wrote Firefox 115 can silently remotely disable my extension on any site. This blog post is a follow-up with more information. First, Mozilla has published a support article about the new quarantined domains feature. Here's an excerpt:
Firefox version 115 introduced Quarantined Domains to protect our users' privacy and security when we discover significant security issues presented by malicious actors. This feature allows us to prevent attacks by malicious actors targeting specific domains when we have reason to believe there may be malicious add-ons we have not yet discovered. Users can also control this behavior for each add-on in the Add-on Manager (about:addons) starting with Firefox version 116. We will be further improving the UI for users in future releases.
Second, and more importantly, Mozilla has already published a remote update to extensions.quarantinedDomains.list, which you can now see in Firefox on the about:config page (unless you've toggled extensions.quarantinedDomains.enabled or blocked network connections to firefox.settings.services.mozilla.com). Below is the list of quarantined domains. (I've added space characters after the commas for readability.)
autoatendimento.bb.com.br, ibpf.sicredi.com.br, ibpj.sicredi.com.br, internetbanking.caixa.gov.br, www.ib12.bradesco.com.br, www2.bancobrasil.com.brCuriously, these are all Brazilian sites, with the .br top-level domain, and they appear to be mostly banks; the sites might all be banks, but some refuse to load to me, so I can't tell. Also curiously, they're exactly the same sites listed in a mysterious Mozilla Extensions git commit from back in May.
const DOMAINS = [
"autoatendimento.bb.com.br",
"ibpf.sicredi.com.br",
"ibpj.sicredi.com.br",
"internetbanking.caixa.gov.br",
"www.ib12.bradesco.com.br",
"www2.bancobrasil.com.br",
];
const RESTRICTED_DOMAINS_PREF = "extensions.webextensions.restrictedDomains";Note that extensions.webextensions.restrictedDomains and extensions.quarantinedDomains.list are two separate settings in Firefox.
I found a Reddit discussion about this from a month ago:
It seems that Mozilla has pushed a system extension (thus hidden from
about:addons, but can be found inabout:support) into many Firefox installations called "Add-ons Restricted Domains".Note that this isn't an experiment, so disabling Normandy will not prevent its installation.
From what I can tell, this system extension allows Mozilla to remotely change the
extensions.webextensions.restrictedDomainspreference in people's Firefox browser.I searched through Bugzilla to try to find a quality explanation to the issues that led to this change, but searching Bugzilla for terms like "Add-ons Restricted Domains" and "restictedDomains" yielded no results.
I did eventually find this unclear page:
https://support.mozilla.org/kb/addons-restricted-domainsWhich reveals that my understanding is likely at least mostly correct. But that page is incredibly vague and does not explain why extensions suddenly need to be completely disabled on some internet websites.
The problem appears to be with some sites, and not with some extensions, as my understanding is that Mozilla already has a way to disable bad extensions.
Overall, I think this functionality is likely a good thing (with good intent, as well), and thus I don't recommend taking steps to remove this system extension. What's missing is better communication as to what's happening and why.
What's going on that led to this sudden change?
Here's an excerpt from the support article mentioned in the Reddit post:
Certain Firefox users may come across a desktop notification indicating that their add-ons have been disabled for particular websites. In Firefox versions 113, 114 and ESR, we have introduced a system add-on developed by Mozilla that disables extensions on specific websites for various reasons, including security concerns.
Our team is working continuously to develop this functionality and to provide users the ability to manage these restrictions for each individual add-on in the future.
Thus, it appears that Mozilla introduced a built-in add-on to disable the Brazilian web sites in Firefox version 113, then they moved the same functionality from the add-on into the main app in Firefox version 115.
We still have no information from Mozilla about why most Firefox add-ons, except for a select few add-ons "monitored by Mozilla", have been disabled on those six Brazilian web sites.